Windows Assembly Microsoft Visual Studio '.dll' files detected as Malware?


User1051

Hi all, first time posting - long time loving Malwarebytes <3
Usually if this program tells me something needs removing, it's gone.

However, this was a strange detection result for me, and from a search of the forum I came across this thread:
https://forums.malwarebytes.com/topic/274528-possible-false-positives/


Similar files were detected in my instance, so I'm not sure whether this was a 'false positive' or a legitimate concern.

Report Text: 

-Log Details-
Scan Date: 5/22/21
Scan Time: 10:00 PM
Log File: 

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1292
Update Package Version: 1.0.40772
License: Free

-System Information-
OS: Windows 10 (Build 19042.985)
CPU: x64
File System: NTFS
User: 

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 525059
Threats Detected: 4
Threats Quarantined: 4
Time Elapsed: 5 hr, 53 min, 41 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 4
Malware.Heuristic.1003, C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\1CC944DD5C124CDEDD729318D7E58A87\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.EXCEL.HOSTADAPTER.V10.0.NI.DLL, Quarantined, 1000001, 0, 1.0.40772, 0000000000000000000003EB, dds, 01256421, 05700506B9AED6903EF06BF16712DCAC, 4D1A9FCDFB49C46E4FEB7B4C286EFE993C4FF9A5A93B1D19B598B2AE60783248
Malware.Heuristic.1003, C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\19AFF3F3EBF30CB55238075BC32615B4\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.HOSTADAPTER.V10.0.NI.DLL, Quarantined, 1000001, 0, 1.0.40772, 0000000000000000000003EB, dds, 01256421, 66004EEDB15CB8B52220358EC422CCE9, 8CFD27F585CD7465DAD5A8EA1F117CC18F03462C765F1249AB0ADC5B7B63B487
Malware.Heuristic.1003, C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\AADA3E538F5D203301A81D61E90ED116\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.WORD.HOSTADAPTER.V10.0.NI.DLL, Quarantined, 1000001, 0, 1.0.40772, 0000000000000000000003EB, dds, 01256421, 190276E91E22A945A900BE5B16A92500, 5C8F088BA43DE04294333346A702FE7ACEF8D377EB84D5398094EF71CFA82215
Malware.Heuristic.1003, C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\220FAF66FC4759A55A1BDC74914E1AC6\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.OUTLOOK.HOSTADAPTER.V10.0.NI.DLL, Quarantined, 1000001, 0, 1.0.40772, 0000000000000000000003EB, dds, 01256421, 0894D466FF653481439470D2FAD707AE, C359F7E88CA7CD5F448C13430715492105BE98D74EC1334088AD919877FDE7CB

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

6 minutes ago, User1051 said:

Malware.Heuristic.1003

Hi,

Do you have "Use expert system algorithms to identify malicious files" enabled? It is located in Settings > Security > Scan options.

This is normally disabled by default.

Either way, staff will look into this and get it fixed.

Thanks for reporting!

FYI

That setting is to detect malformed files, but sometimes legit files use protection that makes them malformed. Malwarebytes is still tweaking the algorithms, which is why it's off by default. If you switch it on, it is assumed you are able to tell the difference between an FP and a legit detection.

And if you keep it on, I suggest also turning off auto quarantine. That gives you time to report FPs without the extra step of having to restore from quarantine.

Hi Porthos, and thanks for your reply!

Yes, I do have it enabled; I did see this suggested on the other forum page I linked to above.
Happy to have it enabled and don't mind the extra step, but that is useful information, and thanks for explaining.

More specifically, I am interested in finding out if the files are malware or, as you said, if they are legit/safe files.

Regards, 

Hi!

I have a similar detection (see below).

So just to be 100% sure: this means I can restore them back from quarantine, right?

Thanks in advance! 

-Log Details-
Scan Date: 5/24/21
Scan Time: 9:41 AM
Log File:  

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1292
Update Package Version: 1.0.40848
License: Premium

-System Information-
OS: Windows 10 (Build 19042.985)
CPU: x64
File System: NTFS
User:  

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 677740
Threats Detected: 4
Threats Quarantined: 4
Time Elapsed: 1 hr, 38 min, 43 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 4
Malware.Heuristic.1003, C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\4F0131AD4B441A105446C9DDB544B8FC\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.OUTLOOK.HOSTADAPTER.V10.0.NI.DLL, Delete-on-Reboot, 1000001, 0, 1.0.40848, 0000000000000000000003EB, dds, 01258883, 0D253FC57CCC8BA974945ABC4D9F2F31, 7F49B1B7182ACF79A3563D9246A524CBCACD80988B95D8D901FABF3FE9449BE6
Malware.Heuristic.1003, C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\687E8136D123ECA3691EB2582CEEDEA0\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.WORD.HOSTADAPTER.V10.0.NI.DLL, Delete-on-Reboot, 1000001, 0, 1.0.40848, 0000000000000000000003EB, dds, 01258883, DDE6FE015F4945DADB34CDED9491C615, 6343192CA9A9694AB32EE7F4E44E6C1532319F0842277BE9D241D9F82804E647
Malware.Heuristic.1003, C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\588585336D397F4D0DC2F2E6A4154F86\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.HOSTADAPTER.V10.0.NI.DLL, Delete-on-Reboot, 1000001, 0, 1.0.40848, 0000000000000000000003EB, dds, 01258883, 35543C9074CDBB641F7D312AA33227B2, 86DF8F4A04FCB58D26430FA1E22B69AFC14126ACC6FF2EF9DF51237DD2401EE6
Malware.Heuristic.1003, C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\7B85F2C927BAEC3EC8E439B6B3D1FB52\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.EXCEL.HOSTADAPTER.V10.0.NI.DLL, Delete-on-Reboot, 1000001, 0, 1.0.40848, 0000000000000000000003EB, dds, 01258883, 3CF9B9DFC7C992339F1D8778AFB2F5E7, 98E1E8D623071E5CF3C7E65FD4E746B38D72186F4425331ADD0F6D30BC095409

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Just now, IArminiusI said:

So just to be 100% sure: this means I can restore them back from quarantine, right?

Yes, and also turn off "Use expert system algorithms to identify malicious files".

It is located in Settings > Security > Scan options.

This is normally disabled by default.

On 5/24/2021 at 4:10 PM, AdvancedSetup said:

Please disable the Expert systems setting. Then rescan your system.

Great, thanks for your reply. Is there some information clarifying the use of "expert system algorithms", like a guide on when to use or not use this feature?

5 minutes ago, User1051 said:

Great, thanks for your reply. Is there some information clarifying the use of "expert system algorithms", like a guide on when to use or not use this feature?

FYI: this setting is in the experimental stage. I suggest you keep it off unless you are comfortable dealing with the FPs.

That setting is to detect malformed files, but sometimes legit files use protection that makes them malformed. Malwarebytes is still tweaking the algorithms, which is why it's off by default. If you switch it on, it is assumed you are able to tell the difference between an FP and a legit detection.

And if you keep it on, I suggest also turning off auto quarantine. That gives you time to report FPs without the extra step of having to restore from quarantine.

Edited by Porthos
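Porthos's advice in the two posts above (keep auto quarantine off, report the FPs, then restore) is easier to follow when the pasted "File:" lines are parsed rather than read by eye. The following added example (not code from the thread or from Malwarebytes) parses the scan-log detection lines shown in this thread, flags the ones living in the .NET NGEN native-image cache where all four hits sit, and re-hashes a restored file so it can be matched against the SHA256 the scanner recorded; the column meanings for fields 4-9 are not documented in the log, so they are kept raw rather than named.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# Constructed sample: two "File:" lines copied from the scan logs in this thread,
# plus neighbouring log lines that a parser must skip.
SAMPLE_LOG = r"""File: 2
Malware.Heuristic.1003, C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\1CC944DD5C124CDEDD729318D7E58A87\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.EXCEL.HOSTADAPTER.V10.0.NI.DLL, Quarantined, 1000001, 0, 1.0.40772, 0000000000000000000003EB, dds, 01256421, 05700506B9AED6903EF06BF16712DCAC, 4D1A9FCDFB49C46E4FEB7B4C286EFE993C4FF9A5A93B1D19B598B2AE60783248
Malware.Heuristic.1003, C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\4F0131AD4B441A105446C9DDB544B8FC\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.OUTLOOK.HOSTADAPTER.V10.0.NI.DLL, Delete-on-Reboot, 1000001, 0, 1.0.40848, 0000000000000000000003EB, dds, 01258883, 0D253FC57CCC8BA974945ABC4D9F2F31, 7F49B1B7182ACF79A3563D9246A524CBCACD80988B95D8D901FABF3FE9449BE6

(No malicious items detected)"""
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
HEX64 = re.compile(r"^[0-9A-Fa-f]{64}$")
# Every detection in this thread sits in the .NET NGEN native-image cache.
NATIVE_IMAGE_CACHE = re.compile(r"\\ASSEMBLY\\NATIVEIMAGES_", re.IGNORECASE)

def parse_detection(line):
    """Split one '<detection>, <path>, <action>, ..., <MD5>, <SHA256>' log line."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) < 5 or not (HEX32.match(parts[-2]) and HEX64.match(parts[-1])):
        raise ValueError("not a detection line: %r" % line)
    path = parts[1]
    return {
        "detection": parts[0],
        "path": path,
        "action": parts[2],        # Quarantined, Delete-on-Reboot, ...
        "raw": parts[3:-2],        # fields the log does not label; kept for the FP report
        "md5": parts[-2].lower(),
        "sha256": parts[-1].lower(),
        "native_image": bool(NATIVE_IMAGE_CACHE.search(path)),
        "file": PureWindowsPath(path).name.lower(),
    }

def triage(log_text):
    """Parse every detection line in a pasted scan log; all other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        try:
            entries.append(parse_detection(line))
        except ValueError:
            continue
    return entries

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def matches_log(disk_path, entry):
    """After a restore from quarantine, confirm the file on disk is the one the log hashed."""
    with open(disk_path, "rb") as f:
        return sha256_bytes(f.read()) == entry["sha256"]
```

Paste a full scan log into `triage()` to get one record per detection; `matches_log()` is for checking a restored file against the SHA256 in that record before trusting it again.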